The IT landscape is a crowded one. While it may have been dominated by a couple of companies in the past, now there are hundreds of vendors. This complex environment means companies struggle to unify their response, and often resort to gluing different solutions together.
With a multitude of threats, a company is going to need multiple security tools. Most organisations spend the vast majority of their budget on perimeter security, but only a third of breaches currently take place there. Is this short-sighted, or just the way we’ve always done things?
Who’s had a breach or a security incident in the last year?
Three or four hands go up.
Who’s heard of someone who’s had a breach?
Everyone puts their hands up.
What are your pain points with security? “WannaCry,” says Mpilo Khuluse, head of infrastructure, McDonald’s. He says it’s difficult to handle because of the ransom attempts associated with the weakness, and that it could be devastating if one isn’t prepared.
Khuluse says he can’t disclose that (to laughter), but it remains a challenge for McDonald’s.
“If you don’t protect your perimeter, you’re always going to have a problem.”
Gus Clarke, head of security at Tari, was on the South African Banking Risk Information Centre’s expert working group. He says a common problem encountered is users being compromised through email, perhaps phishing, which then leads to more attacks. It’s also difficult to prevent, he adds.
Tumediso Lobelo, MD, Tulo Vation, a cyber security startup, agrees that it’s a constant battle, and that user education remains a key defence. It’s also worth considering what access you grant to employees. What apps can they use? And what about social media?
Nathan Desfontaines, Managing Director, CyberSec, says measures such as antivirus, perimeter security and IPS (intrusion prevention systems) are all maturing technologies. There have also been improvements in securing the mobile user.
However, he maintains that people are still the biggest challenge, and that educating them leads to greater awareness.
“Do they understand how to identify, where to report, who to alert, how to respond?” he asks.
He says he’s been trying to build some values into the culture of his organisation, because you’re never able to say, ‘We’re done. Our staff is now aware.’
There have been improvements, he says, driven in part by traditional awareness videos and campaigns. These campaigns can take the form of simulated phishing and vishing attacks and USB drops, which were mounted to measure how many users are actively thinking about security. This was helpful, he says, because it at least let them begin to measure improvement.
He adds that there have been many attempts to create forums in corporate circles to speak about breach and disclosure and which threats companies are facing.
“Nobody wants to talk about it. It’s a bit of a Catch 22 situation. With some of the problems, we don’t all need to solve everything for the first time.
“I think we’ve got a bit of a disease of relying on technology to drive our strategy. As technology enters the market, we plug it in, in the hope that it’s going to fix a problem, but often it’s a lack of process, or people not abiding by it.
“Get your process working, and get your people on board, and then perhaps consider some technology to help streamline that.”
Is security a grudge purchase in your organisations? How do you put it on the agenda?
Justin Williams, executive for group information security at MTN, says security is very much on the agendas of the board and exco.
“It’s something they’re extremely concerned about, and spend a lot of time and effort understanding. I don’t think any of them expect us to be 100% secure all the time. There’s always a cost involved with security, and there are decisions to be made around where you’re going to spend the available resources.”
Williams says it’s also important to understand the cost balance in a security strategy, and to be prepared for when an incident does happen.
“It doesn’t matter what you put in place, an incident will happen. You need people at all levels of the organisation to be prepared to respond to an incident ahead of time. You can’t be running around at the time of the incident trying to figure out what you’re going to say to the press.”
Fundile Ntuli, CIO, Ubank, says it takes an incident, in most cases, for an organisation to begin taking security seriously. “It’s not that there’s a lack of awareness or will, but you have to justify spend. Unfortunately, security incidents accelerate progress.”
Kevin Wilson, GM, group IT services, Stefanutti Stocks, says it has to be a painful experience.
Wilson says in his business, he has to deal with SMEs, joint ventures, sub-contractors, and ‘every Tom, Dick and Harry’, and he has little control over all these parties.
“If someone asks whether you’d trade your privacy for convenience, the answer will invariably be in the affirmative.”
If security measures are instituted, they slow down processes, and people aren’t typically willing to make that trade until they’ve paid the price, he says. “Then, they’re willing to do anything you tell them to do.
“Now, we’re scaring the crap out of users regarding their Facebook and other personal accounts, and it’s working way better than telling them that their business account is insecure. That touches closer to home, and we’re changing the culture in that way.”
He adds that he’s finding it very difficult to get his security process right, and that the phishing attacks are becoming more aggressive and focussed.
“They’re using a lot more of the data they’ve scraped out of the internet,” he says, adding that the next technical evolution of security is on its way.
“We can educate our people to death, but the complex patterns that criminals are using, such as AI, to figure out where we are and what we’re doing, we’re going to have to have the same AI to counteract that.”
Desfontaines says, in fact, a company doesn’t need to be breached for it to affect the security of its staff. A breach, in the wild, can compromise staff members because their information can be traced back to their organisation.
Worse, the attackers will then know a bit about the user, such as their address or password, and will be able to tailor an enticing email just for them.
Ubank’s Ntuli says part of the challenge is trying to build strong solutions. “It’s not an issue that a single person can resolve. That’s where these advisory boards will play their part in driving credibility of the industry.”
Malcolm MacDonald, CIO, Clientèle Ltd, says one of the company’s security contractors wrote a simulated phishing attack for the company, and if anyone clicks on it, a screen appears that ‘looks just like WannaCry’. It stays active for 30 seconds, before telling the employee it’s not the real thing. The staff member also has to go through some awareness programmes before their machine will be unlocked.
“A couple of months ago, when our MD went on leave, the financial director got a mail from ‘him’ just a few minutes later, saying, ‘Can you please make this payment?’ He was able to check the right things to identify that this was a dodgy email.”
MacDonald says this generated a lot of conversation, and many employees also admitted they’d been fooled into clicking on the unsafe link.
“It’s scary, and they realised they would have been compromised if it had been the real thing, but at the same time, they’re really learning what to avoid.”
Original post: Brainstorm Magazine